The directories which contain the user pages must be enabled for SSI
(server side includes). This is a major security hole if untrusted
people can alter pages in these directories. Only enable SSI for
directories where it is needed. You can put the statement which enables
it into per-directory directives in the Apache HTTP server
configuration file, for example, like this (snipped from
/etc/httpd/conf/httpd.conf):

<Directory /home/httpd/html/apc-aa/user-x/>
Options +Includes
</Directory>

This also suggests putting all ActionApps user pages into a common
directory structure and not into the normal user's htdocs tree, so
control over the pages can easily be separated.

The http server must be able to access the include/config.php
file, but this file contains passwords, so it should not be world
readable.

A common solution is to create a Unix group for your HTTP server,
make the config.php file belong to that group, and make it group
readable. Before you do this, make sure that it is safe to change the
group Apache is running under: other programs and setups may rely on
this setting. The steps to do this would be:

# groupadd -r www

In /etc/httpd/conf/httpd.conf, alter the line

Group nobody

to

Group www

Then change the ownership and permissions of config.php and restart
the server:

# chown root:www /home/httpd/html/apc-aa/include/config.php
# chmod 640 /home/httpd/html/apc-aa/include/config.php
# /etc/rc.d/init.d/httpd stop
# /etc/rc.d/init.d/httpd start
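
To confirm that these steps left config.php in the intended state, a check like the following can be run after the restart. It is an added example, not part of the ActionApps documentation; the function name audit_config and the script name audit.sh are made up here, and it assumes GNU stat (stat -c) as found on Linux.

```sh
#!/bin/sh
# Added example: verify the state the chown/chmod steps are meant to produce.
# Assumes GNU stat (stat -c), as on Linux. audit_config is a made-up name.

# audit_config FILE OWNER GROUP
# Prints one line per finding. Returns 0 only if FILE is owned by OWNER,
# belongs to GROUP, is group-readable, is not group-writable, and grants
# nothing at all to "other". Returns 2 if FILE does not exist.
audit_config() {
    file=$1; want_owner=$2; want_group=$3; rc=0

    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1; owner=$2; group=$3
    m=$((0$mode))    # leading 0 makes the shell read the mode as octal

    [ "$owner" = "$want_owner" ] ||
        { echo "FAIL: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "FAIL: group is $group, expected $want_group"; rc=1; }
    [ $((m & 07)) -eq 0 ] ||
        { echo "FAIL: mode $mode grants permissions to other users"; rc=1; }
    [ $((m & 040)) -ne 0 ] ||
        { echo "FAIL: mode $mode is not group-readable, httpd cannot load it"; rc=1; }
    [ $((m & 020)) -eq 0 ] ||
        { echo "FAIL: mode $mode lets the httpd group rewrite the file"; rc=1; }

    if [ "$rc" -eq 0 ]; then echo "OK: $file ($mode $owner:$group)"; fi
    return "$rc"
}

# Usage: sh audit.sh /home/httpd/html/apc-aa/include/config.php root www
if [ "$#" -eq 3 ]; then
    audit_config "$@"
fi
```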